CVE-2026-32613

Spinnaker · Spinnaker

A SpEL injection vulnerability in the Spinnaker Echo service allows remote attackers to execute arbitrary Java code and read system files with the full privileges of the JVM process.

Executive summary

Spinnaker is subject to a critical remote code execution vulnerability: insecure SpEL expression processing in the Echo service allows attackers to gain full access to the host.

Vulnerability

The Echo service fails to restrict SpEL (Spring Expression Language) evaluation to a trusted context. An attacker who can supply an expression, authenticated or unauthenticated depending on the deployment, can therefore reference arbitrary Java classes from within the expression and execute commands on the underlying host.
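The underlying defect is a general Spring pattern: evaluating an attacker-influenced expression under a `StandardEvaluationContext`, which exposes type references such as `T(...)`, method invocation and constructors, instead of a restricted context. The following is an added illustration, not code from the Spinnaker project, the Echo service or the fix; it assumes only Spring's `spring-expression` module on the classpath, and the `Event` class, its `name` field and both sample expressions are constructed for the demonstration. The type reference used is deliberately harmless (a constant on `java.lang.Math`); what matters is that the same mechanism reaches any class the JVM can load, and that the restricted context rejects it.

```java
// Added example (not Spinnaker's or Spring's own code): evaluating SpEL from an
// untrusted source under a restricted context, the class of fix this advisory
// describes. Assumes Spring's spring-expression module; the Event class and
// the sample expressions are constructed for the demonstration.
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Constructed root object standing in for an event the expression may inspect.
    public static class Event {
        private final String name;
        public Event(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Unsafe pattern: StandardEvaluationContext lets the expression author use
    // type references (T(...)), method invocation, constructors and bean references.
    static Object evaluateUnrestricted(String expr, Event root) {
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext for read-only data binding only
    // resolves properties on the root object; T(...), method calls and
    // assignments are rejected with an EvaluationException.
    static Object evaluateRestricted(String expr, Event root) {
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        Event evt = new Event("deploy-finished");
        String benign = "name";                   // plain property read: allowed in both contexts
        String typeRef = "T(java.lang.Math).PI";  // harmless type reference; the same
                                                  // mechanism can reach any loadable JVM class

        System.out.println("unrestricted/benign:  " + evaluateUnrestricted(benign, evt));
        System.out.println("unrestricted/typeRef: " + evaluateUnrestricted(typeRef, evt));
        System.out.println("restricted/benign:    " + evaluateRestricted(benign, evt));
        try {
            evaluateRestricted(typeRef, evt);
            System.out.println("restricted/typeRef:   UNEXPECTEDLY ALLOWED");
        } catch (EvaluationException ex) {
            // Expected: SimpleEvaluationContext has no type locator, so T(...) fails.
            System.out.println("restricted/typeRef:   rejected (" + ex.getMessage() + ")");
        }
    }
}
```

When reviewing a service that evaluates user-supplied expressions, the check is which context reaches `getValue`: a `StandardEvaluationContext` (or a parser configured with one) on an attacker-influenced string is the vulnerable shape, while `SimpleEvaluationContext` with data-binding only, or an explicit allowlist of types and methods, is the expected mitigation.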

Business impact

The CVSS score of 9.9 reflects the potential for full system compromise. Successful exploitation lets an attacker execute arbitrary commands, read sensitive credentials, and pivot within the infrastructure, which can lead to large-scale data breaches and loss of control over the CI/CD pipeline.

Remediation

Immediate Action: Upgrade Spinnaker to version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2. If patching cannot be performed immediately, disable the Echo service as a temporary workaround.

Proactive Monitoring: Review system logs for unusual process execution or unauthorized file access originating from the Echo service process.

Compensating Controls: Deploy a Web Application Firewall (WAF) or Runtime Application Self-Protection (RASP) tool to detect and block malicious expression language payloads directed at the Spinnaker services.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is a total-compromise vector. Security teams should treat it as a high-priority incident and confirm that every Spinnaker instance has been updated to one of the fixed versions, or that the Echo service has been disabled, before exploitation can occur.